IoT security.

Whole-ecosystem testing of connected products — device, wireless, cloud, and companion app — against ETSI EN 303 645, NIST IR 8259, and the regulations shipping next.

Standards: ETSI 303 645 · NIST IR 8259
Regulation: EU CRA · UK PSTI
Surfaces: Device + Cloud + App
Retest: Included

01 / Overview

One product. Four surfaces. One attacker.

A connected product is never one thing. Attackers chain a BLE flaw into a cloud weakness into a fleet-wide compromise — in an afternoon. We test the ecosystem the way they do: coordinated, across every surface, with operators who speak radio, firmware, backend, and mobile equally.

Engagements produce evidence suitable for ETSI EN 303 645, NIST IR 8259, UK PSTI, and EU CRA conformance — with remediation prioritized by fleet-level impact.

02 / Ecosystem Surfaces

Every surface. One assessment.

01
Device & Firmware

Physical teardown, debug-interface exploitation, firmware extraction, and secure-boot / OTA analysis on the device itself.

02
Wireless Protocols

Wi-Fi, BLE, Zigbee, Z-Wave, Thread, Matter, LoRaWAN, and proprietary RF — capture, replay, and protocol-level attacks.

03
Cloud Backend

MQTT / CoAP / AMQP brokers, device-provisioning APIs, multi-tenant isolation, and the authenticated REST / GraphQL behind the app.

04
Companion App

iOS and Android mobile apps against OWASP MASVS — including binding, pairing, and device-recovery abuse.

05
Identity & Provisioning

Device identity lifecycle, certificate handling, onboarding attacks, and manufacturer-trust abuse.

06
Update & Supply Chain

OTA signing, delivery integrity, rollback protection, and upstream supply-chain dependency risk (SBOM, SLSA).

03 / Methodology

Model. Cross-test. Scale. Verify.

01

Ecosystem Threat Model

Whole-product threat model — device, wireless, cloud, app, and identity — aligned to ETSI EN 303 645, NIST IR 8259, and the EU CRA.

02

Cross-Surface Testing

Coordinated testing across every surface by operators who chain findings into real-world compromise — not isolated silo assessments.

03

Abuse & Scale Analysis

Fleet-level reasoning — what happens when an attacker pivots from one device to the cloud, or from the cloud to every device.

04

Reporting & Retest

Standard-aligned findings, regulator-ready evidence, and a verified retest after remediation.

04 / Deliverables

What ships.

  • 01 Whole-ecosystem threat model (device, wireless, cloud, app)
  • 02 Cross-surface exploit chains and abuse scenarios
  • 03 ETSI EN 303 645 / NIST IR 8259 coverage matrix
  • 04 Regulator-ready evidence for UK PSTI and EU CRA readiness
  • 05 Remediation roadmap prioritized by fleet-level risk
  • 06 Verified retest after remediation

05 / Engage

Secure the whole ecosystem.

Pre-launch assessment, postmarket continuous testing, or regulatory-readiness engagement. Scoped under NDA.